As paper records have become a thing of the past, there has been an increased focus on digital information and how it is handled. Digital information is easier to leak than hard copies on paper, making it an easier target for hackers and creating new security concerns. In this article, we’ll look at seven types of data leaks and how to prevent them from happening.
How information leaks impact companies and brands
Half of Fortune 500 companies studied by UpGuard were found to be leaking valuable data through public documents. This makes life easier for cybercriminals, who don’t need to go through layers of security to discover whether a company has even more valuable data they can steal. This could put those companies’ customers at risk of threats such as identity theft.
To help keep people’s data safe, data regulations, such as HIPAA and GDPR, set out clear expectations around how companies should be protecting customer data. This means that if information is acquired by hackers due to that company’s negligence, it could lead to financial losses from fines to lost customers.
7 types of information leaks
So how are companies failing to protect their information?
1) Unauthorized insider and external access
By the time Apple is ready to make a surprise announcement at their keynotes, most of the tech press already knows what’s coming. At that point, maybe hundreds of people have seen the new device in internal demos and on the factory floor. Any one of them could leak that information to an excited press for a good price.
Without good controls around who can access which files, it’s easy for sensitive documents and other classified materials to get into the hands of employees or third-party contractors who think they can get away with leaking.
2) Phishing and social engineering tactics
Phishing attacks are one of the oldest tricks in the cyber criminal’s book. You might be used to seeing obviously fake emails in your personal inbox, but if an attacker knows they have a valuable target it’s worth their while to put a lot of effort into the attack.
By faking an email from a legitimate provider, maybe even faking that provider’s site, attackers can trick employees into handing over login details for online accounts.
3) Data leaks from lost or stolen physical devices
In the shift to remote work, more businesses are storing their sensitive data on devices out of their control. If an employee stores company credit cards on their personal password manager, the business depends on that employee to safeguard that software.
And they’re relying on that employee to protect their physical device. If their laptop is stolen from their home or a café, information that could have been protected on an on-premises server is now on a device in a stranger’s hands.
4) Breaches from unsecured databases
Software vulnerabilities can be caused by a lack of good encryption. Unencrypted data is exposed to anyone who’s listening. Data can be exposed in transit (while moving through email, an API, or a phone line) or exposed “at rest”: from an unprotected device or database. If data isn’t encrypted, hackers who gain access to the system can read the data in plain text or copy it to their own device.
This is also why when you’re considering any new SaaS, whether it is purchase order management software, an electronic database, or even your to-do list app, you want to make sure that it has certifications such as ISO/IEC 27001 or it is ISAE 3402 assured.
5) Collaboration and insider data mishandling
Trade secrets or classified documents can leak if an employee is willing to talk to the press for a price. A disgruntled employee might talk to the media or reveal secrets to a competitor. As a precaution, all information on these sensitive subjects should be restricted to employees who need to know it.
6) Supplier or third-party data intrusions
It’s not just your own security you need to worry about. If you trust a third-party vendor with sensitive data, you’re trusting them to protect it. If they fail, your own company could get the blame for it.
7) Public data mining and profiling
If employees are careless about how they’re sharing data online, they could be exposing sensitive documents to the public web. For example, if someone wants to share a Google Doc with an external client they might create a sharing link where anyone with the link can view the document.
Getting access to that document is as easy as guessing the URL. That’s not an issue for hackers who have bots guessing URLs around the clock. And by scraping for information such as emails, hackers can use public information to plan targeted phishing attacks on valuable targets.
Best practices to prevent data breaches
1) Encrypt sensitive data
Sensitive data should be encrypted in transit and at rest. Encryption is very complicated, so for the most part this should all be taken care of by third-party vendors. By using end-to-end encrypted email and scrutinizing cloud providers’ security credentials, companies can make their data illegible to hackers even if they get access to it.
2) Train employees on cybersecurity
The weakest link in any business’s cybersecurity system is a human. By training employees on best practices around device security and password policies, companies can protect themselves from social engineering attacks such as phishing scams.
3) Use multi-factor authentication
By switching on multi-factor authentication across all services, companies can add an extra layer of security to employee devices. If a laptop gets stolen, nobody can access sensitive information without also breaking into the employee’s mobile phone.
4) Regularly update security software
Cybersecurity is an arms race between companies and hackers. That’s why software developers are constantly updating their apps with security-focused updates. If your apps and devices aren’t updated regularly, hackers will exploit old and well-known vulnerabilities to get access to companies’ information.
5) Limit data access based on job roles
Without proper permissions around who can and can’t access data, companies are leaving themselves open to an attack from a malicious insider or a hacker impersonating them.
Mission-critical tools such as data room software or software for time and expense management need to have access controls based on job roles. By limiting access to financial documents to the financial team, companies reduce the number of people who could be hacked to get access to the documents. This makes it harder for a hacker to steal the most important data.
6) Conduct regular security and data audits
Companies can prove their security credentials by undergoing independent audits. This is crucial for any kind of B2B software provider, who needs to convince customers they can be trusted with sensitive data.
There are many ways customer data or other classified material can leak, which could be a PR disaster. By thinking about security in a holistic way that includes encrypted data and employee devices, businesses can protect themselves from a wide range of internal and external threats.